content/base/test/file_mixed_content_main.html

changeset 0
6474c204b198
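--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/content/base/test/file_mixed_content_main.html	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,212 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker
+https://bugzilla.mozilla.org/show_bug.cgi?id=62178
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 62178</title>
+  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+<body>
+<div id="testContent"></div>
+
+<!-- types the Mixed Content Blocker can block
+     /*
+  switch (aContentType) {
+  case nsIContentPolicy::TYPE_OBJECT:
+  case nsIContentPolicy::TYPE_SCRIPT:
+  case nsIContentPolicy::TYPE_STYLESHEET:
+  case nsIContentPolicy::TYPE_SUBDOCUMENT:
+  case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
+
+  case nsIContentPolicy::TYPE_FONT: - NO TEST:
+    Load events for external fonts are not detectable by javascript.
+  case nsIContentPolicy::TYPE_WEBSOCKET: - NO TEST:
+    websocket connections over https require an encrypted websocket protocol (wss:)
+
+  case nsIContentPolicy::TYPE_IMAGE:
+  case nsIContentPolicy::TYPE_MEDIA:
+  case nsIContentPolicy::TYPE_PING:
+    our ping implementation is off by default and does not comply with the current spec (bug 786347)
+  case nsIContentPolicy::TYPE_BEACON:
+
+  }
+     */
+-->
+
+<script>
+  var baseUrl = "http://example.com/tests/content/base/test/file_mixed_content_server.sjs";
+
+  //For tests that require setTimeout, set the maximum polling time to 100 x 100ms = 10 seconds.
+  var MAX_COUNT = 100;
+  var TIMEOUT_INTERVAL = 100;
+
+  var testContent = document.getElementById("testContent");
+
+  /* Part 1: Mixed Script tests */
+
+  // Test 1a: insecure object
+  var object = document.createElement("object");
+  object.data = baseUrl + "?type=object";
+  object.type = "application/x-test";
+  object.width = "200";
+  object.height = "200";
+
+  testContent.appendChild(object);
+
+  var objectCount = 0;
+
+  function objectStatus(object) {
+    // Expose our privileged bits on the object
+    object = SpecialPowers.wrap(object);
+
+    if (object.displayedType != SpecialPowers.Ci.nsIObjectLoadingContent.TYPE_NULL) {
+      //object loaded
+      parent.postMessage({"test": "object", "msg": "insecure object loaded"}, "http://mochi.test:8888");
+    }
+    else {
+      if(objectCount < MAX_COUNT) {
+        objectCount++;
+        setTimeout(objectStatus, TIMEOUT_INTERVAL, object);
+      }
+      else {
+        //After we have called setTimeout the maximum number of times, assume object is blocked
+        parent.postMessage({"test": "object", "msg": "insecure object blocked"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  // object does not have onload and onerror events. Hence we need a setTimeout to check the object's status
+  setTimeout(objectStatus, TIMEOUT_INTERVAL, object);
+
+  // Test 1b: insecure script
+  var script = document.createElement("script");
+  var scriptLoad = false;
+  var scriptCount = 0;
+  script.src = baseUrl + "?type=script";
+  script.onload = function() {
+    parent.postMessage({"test": "script", "msg": "insecure script loaded"}, "http://mochi.test:8888");
+    scriptLoad = true;
+  }
+  testContent.appendChild(script);
+
+  function scriptStatus(script)
+  {
+    if(scriptLoad) {
+      return;
+    }
+    else {
+      if(scriptCount < MAX_COUNT) {
+        scriptCount++;
+        setTimeout(scriptStatus, TIMEOUT_INTERVAL, script);
+      }
+      else {
+        //After we have called setTimeout the maximum number of times, assume script is blocked
+        parent.postMessage({"test": "script", "msg": "insecure script blocked"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  // scripts blocked by Content Policy's do not have onerror events (see bug 789856).  Hence we need a setTimeout to check the script's status
+  setTimeout(scriptStatus, TIMEOUT_INTERVAL, script);
+
+
+  // Test 1c: insecure stylesheet
+  var cssStyleSheet = document.createElement("link");
+  cssStyleSheet.rel = "stylesheet";
+  cssStyleSheet.href = baseUrl + "?type=stylesheet";
+  cssStyleSheet.type = "text/css";
+  testContent.appendChild(cssStyleSheet);
+
+  var styleCount = 0;
+
+  function styleStatus(cssStyleSheet) {
+    if( cssStyleSheet.sheet || cssStyleSheet.styleSheet || cssStyleSheet.innerHTML ) {
+      parent.postMessage({"test": "stylesheet", "msg": "insecure stylesheet loaded"}, "http://mochi.test:8888");
+    } 
+    else {
+      if(styleCount < MAX_COUNT) {
+        styleCount++;
+        setTimeout(styleStatus, TIMEOUT_INTERVAL, cssStyleSheet);
+      }
+      else {
+        //After we have called setTimeout the maximum number of times, assume stylesheet is blocked
+        parent.postMessage({"test": "stylesheet", "msg": "insecure stylesheet blocked"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  // link does not have onload and onerror events. Hence we need a setTimeout to check the link's status
+  window.setTimeout(styleStatus, TIMEOUT_INTERVAL, cssStyleSheet);
+
+  // Test 1d: insecure iframe
+  var iframe = document.createElement("iframe");
+  iframe.src = baseUrl + "?type=iframe";
+  iframe.onload = function() {
+    parent.postMessage({"test": "iframe", "msg": "insecure iframe loaded"}, "http://mochi.test:8888");
+  }
+  iframe.onerror = function() {
+    parent.postMessage({"test": "iframe", "msg": "insecure iframe blocked"}, "http://mochi.test:8888");
+  };
+  testContent.appendChild(iframe);
+
+
+  // Test 1e: insecure xhr
+  var xhrsuccess = true;
+  var xhr = new XMLHttpRequest;
+  try {
+    xhr.open("GET", baseUrl + "?type=xhr", true);
+  } catch(ex) {
+     xhrsuccess = false;
+     parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
+  }
+
+  if(xhrsuccess) {
+    xhr.onreadystatechange = function (oEvent) {
+      var result = false;
+      if (xhr.readyState == 4) {
+        if (xhr.status == 200) {
+          parent.postMessage({"test": "xhr", "msg": "insecure xhr loaded"}, "http://mochi.test:8888");
+        }
+        else {
+          parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
+        }
+      }
+    }
+
+    xhr.send(null);
+  }
+
+  /* Part 2: Mixed Display tests */
+
+  // Test 2a: insecure image
+  var img = document.createElement("img");
+  img.src = "http://mochi.test:8888/tests/image/test/mochitest/blue.png";
+  img.onload = function() {
+    parent.postMessage({"test": "image", "msg": "insecure image loaded"}, "http://mochi.test:8888");
+  }
+  img.onerror = function() {
+    parent.postMessage({"test": "image", "msg": "insecure image blocked"}, "http://mochi.test:8888");
+  }
+  // We don't need to append the image to the document. Doing so causes the image test to run twice.
+
+
+  // Test 2b: insecure media
+  var media = document.createElement("video");
+  media.src = "http://mochi.test:8888/tests/content/media/test/320x240.ogv?" + Math.floor((Math.random()*1000)+1);
+  media.width = "320";
+  media.height = "200";
+  media.type = "video/ogg";
+  media.onloadeddata = function() {
+    parent.postMessage({"test": "media", "msg": "insecure media loaded"}, "http://mochi.test:8888");
+  }
+  media.onerror = function() {
+    parent.postMessage({"test": "media", "msg": "insecure media blocked"}, "http://mochi.test:8888");
+  }
+  // We don't need to append the video to the document. Doing so causes the image test to run twice.
+
+</script>
+</body>
+</html>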
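Review bot: The "blocked" verdict in `objectStatus`, `scriptStatus` and `styleStatus` is inferred only from 100 polls passing without a load signal, so a load that is merely slow is reported as blocked and cannot be told apart from the Mixed Content Blocker actually acting. In the script case `script.onload` can still fire after the timeout and post "insecure script loaded", handing the parent two contradictory results for one test; a one-shot guard such as `if (scriptReported) return; scriptReported = true;` ahead of each `postMessage` would prevent that. The xhr test has a similar ambiguity, since any completed request with a status other than 200 is reported as "insecure xhr blocked". Separately, the comment after the video test says "causes the image test to run twice" and presumably should read "media test".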
